Cybersecurity regulations and guidelines for protecting clients’ information and privacy aren’t new, especially for insurance agencies affiliated with financial institutions such as banks.
Due to the extremely specific nature of the information required to affirm compliance with state cybersecurity regulations, ILSA cannot make this affirmation on your behalf. Still, we understand the importance of cybersecurity and data privacy. That’s why we collaborate with Renaissance Systems, Inc. (RSI) to offer you a full range of cybersecurity solutions.
RSI’s best-in-class automated cyber risk management tools and professional services help you quickly identify your weaknesses across employees, processes, technology, and vendors. Once you know where your risks are, their experts help you develop a remediation plan to address these vulnerabilities. They then provide the tools and resources you need to keep your entire company cyber aware and compliant.
These tools and resources address the regulations that apply to your business, including:
- New York Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
- NAIC Insurance Data Security Model Law (NAIC 668)
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
By going through ILSA to get RSI’s services, you receive our discounted monthly rate. Also, there’s no contract required. You get the help you need for as long as you need it!
New York Took Cybersecurity to a New Level
On March 1, 2017, the State of New York implemented 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies. This regulation requires all individuals and entities operating under “a license, registration, charter, certificate, permit, accreditation or similar authorization under Banking Law, the Insurance Law or the Financial Services Law” to have and maintain a cybersecurity program. Even entities that qualify for partial exemptions must still complete a number of compliance tasks.
New York passed the regulation in the wake of several high-profile cybersecurity breaches, in particular the Equifax breach in 2017. This single incident at one of the nation’s largest credit bureaus left nearly 148 million consumers vulnerable to identity theft and similar crimes. An earlier 2015 cyberattack on Anthem, the second-largest health insurer in the U.S., had already proved that insurance companies were just as vulnerable.
Subsequently, the National Association of Insurance Commissioners followed New York’s lead by passing its own Model Law in October 2017. To date, eight states have adopted the Model Law. A number of other states also have similar cybersecurity laws under consideration.
Key Components of a Cybersecurity Program
Per the NAIC Model Law, the objectives of a cybersecurity program are:
- Protect the security and confidentiality of nonpublic information and the security of the information system;
- Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
- Defend against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and
- Define and periodically reevaluate a schedule for retention of nonpublic information and provide a mechanism for its destruction when no longer needed.
Licensees must document their cybersecurity programs with written policies and then periodically certify compliance with state regulators.
Each state’s regulation varies in its particulars, of course, but they have certain common key requirements:
- Risk Assessment
- Protection of Data Integrity
- Application Security
- Informed Oversight of the Information Security Program
- Employee Training and Monitoring
- Oversight of Third-Party Service Providers
- Incident Response and Notification Plan
What specific sanctions states will impose on those who fail to comply isn’t yet clear. However, the laws allow regulators broad authority to enforce compliance.
Privacy Concerns and Data Security
The second trend in information security involves data privacy. Data privacy isn’t the same as cybersecurity, although some protective measures overlap. Cybersecurity focuses on the hardware and software used to store and manipulate data, and the procedures for using such systems. Data privacy, on the other hand, focuses on the rights of the individuals or companies that generate that data to know who collects their information and how it is used.
First, the European Union’s General Data Protection Regulation (GDPR), adopted in 2016, greatly expanded data privacy protections for its citizens. Then California passed its own law, the California Consumer Privacy Act (CCPA), in 2018. The exact scope and terms of the CCPA are still in flux as California passes amendments to the original law and companies impacted by the law challenge it in court. On May 29, 2019, Nevada also expanded the scope of its online privacy law to include CCPA-style provisions. Subsequently, a number of other states have introduced similar legislation.
Still not sure if you need help?